Bugtraq mailing list archives

RE: TXT or HTML? -- IE NEW BUG


From: Rebecca Kastl <rkastl () neohapsis com>
Date: Mon, 30 Jul 2001 01:10:40 -0500 (CDT)

Microsoft's response is valid in many respects, but they do fail to address
one specific issue.

Some corporate security policies (such as firewall rules, content filters,
AUP, SecPol, etc.) expressly prohibit such things as ActiveX, Javascript, and
more.  Specifically, a Fortune 50 company I recently worked for has such a
policy.  By embedding jscript code in a *.jpg file, such policies and
procedures are circumvented, and MS has helped the "evil hacker" attack
another victim because they have so far refused to address the real issue --
ignoring MIME type definitions.


--Rebecca Kastl


On Sun, 29 Jul 2001, Microsoft Security Response Center wrote:

*     If script were included within a .txt, .jpg or other file and
hosted on a web site, it could be opened automatically by a page on the
site.  However, the script would run in the web page's domain, so it
would be subject to all the same limitations as script on the page
itself.  That is, embedding the script within the file wouldn't gain the
attacker any capabilities.

Scott Culp
Security Program Manager
Microsoft Security Response Center
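
The filtering gap discussed in this thread, shown from the filter's side as an added example (not part of either message): a content check that inspects the response body instead of trusting the file extension or the declared MIME type. The function name, the extension table, the markup pattern, the 4096-byte window and the sample bodies are all assumptions constructed for illustration.

```python
import re

# Leading bytes ("magic numbers") of the image formats this check recognises.
IMAGE_MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
}
# Assumed mapping from URL extension to the type a policy would expect.
EXT_TO_TYPE = {".jpg": "image/jpeg", ".jpeg": "image/jpeg",
               ".gif": "image/gif", ".png": "image/png", ".txt": "text/plain"}

# Markup that a client ignoring the declared type could render as HTML/script.
ACTIVE_MARKUP = re.compile(
    rb"<\s*(script|html|body|iframe|object|embed)\b|javascript:", re.I)

SNIFF_WINDOW = 4096  # assumption: how much of the body the filter inspects


def inspect_response(url_path, content_type, body):
    """Return the reasons to block a response; an empty list means pass."""
    reasons = []
    declared = content_type.split(";")[0].strip().lower()
    ext = "." + url_path.rsplit(".", 1)[-1].lower() if "." in url_path else ""
    expected = EXT_TO_TYPE.get(ext, declared)
    head = body[:SNIFF_WINDOW]
    # An image type claimed by header or extension must start with its magic.
    for label in sorted({declared, expected}):
        magics = IMAGE_MAGIC.get(label)
        if magics and not head.startswith(magics):
            reasons.append(f"body is not a valid {label}")
    # Strict policy: anything not declared as HTML must not carry markup,
    # because the client may ignore the declaration and render it anyway.
    if declared != "text/html" and ACTIVE_MARKUP.search(head):
        reasons.append("active markup in non-HTML response")
    return reasons


# Constructed sample bodies (not taken from the thread).
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
SCRIPT_BODY = b"<html><script>/* constructed sample */</script></html>"

if __name__ == "__main__":
    print(inspect_response("/logo.jpg", "image/jpeg", REAL_JPEG))
    print(inspect_response("/logo.jpg", "image/jpeg", SCRIPT_BODY))
    print(inspect_response("/notes.txt", "text/plain", SCRIPT_BODY))
```

A filter that only blocks `text/html` responses or `.js` URLs passes the second and third samples untouched, which is the circumvention the reply describes.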

